A Mechanism for Requesting Hierarchical Documents in XACML

Sensitive information is becoming ever more accessible, and access control is the mechanism most widely used to protect it. The eXtensible Access Control Markup Language (XACML) is one of the most prominent access control policy languages. The XACML core specification defines a policy decision point (PDP) that evaluates policies to reach a decision on each incoming access request. The problem is that this evaluation is performed for one resource at a time: a request for an entire hierarchical document, or for an entire sub-hierarchy of one, costs one PDP evaluation per resource it contains. This degrades system performance considerably, especially in ubiquitous applications where performance is critical. We propose a mechanism for reducing this overhead when multiple resources are requested (i.e. an entire hierarchical or sub-hierarchical document) by applying the post-condition concept, in the form of "transformations" as defined in Common Policy, to filter the requested document instead of evaluating each of its resources separately.
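The following Python sketch is an added illustration of the contrast the abstract draws; it is not code from the paper. It puts a naive per-resource enforcement loop beside one that asks the PDP once for the document root and receives, along with the decision, a post-condition "transformation" (in the Common Policy, RFC 4745, sense of a filter applied to what is disclosed) that the enforcement point applies locally. The policy encoding (rule targets as resource paths covering their subtree, deny-overrides combining) and the representation of the transformation as a list of subtrees to prune are assumptions made for the example; the page does not show how the paper encodes them. The presence-style document is constructed for the example.

```python
"""Per-resource XACML-style evaluation versus one decision that carries a
post-condition "transformation" used to filter a hierarchical document.

Added illustration, not the paper's code. The policy encoding (path targets,
deny-overrides combining) and the shape of the transformation are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a small presence-style hierarchical document.
SAMPLE_DOC = """<presence entity="alice">
  <tuple id="work"><status><basic>open</basic></status><note>at desk</note></tuple>
  <tuple id="home"><status><basic>closed</basic></status><note>private</note></tuple>
  <person><activities>meeting</activities><mood>busy</mood></person>
</presence>"""

# Assumed policy: (resource-path target, effect). A target covers the node it
# names and the whole subtree beneath it; rules combine deny-overrides.
POLICY = [
    ("presence/tuple[home]", "Deny"),
    ("presence/person/mood", "Deny"),
    ("presence", "Permit"),
]


def path_of(el, parent_path):
    """Resource identifier for an element: tag names joined by '/', with an
    id attribute, where present, appended in brackets."""
    tag = el.tag + ("[%s]" % el.attrib["id"] if "id" in el.attrib else "")
    return parent_path + "/" + tag if parent_path else tag


def covers(target, path):
    """True when `path` is `target` itself or lies in its subtree."""
    return path == target or path.startswith(target + "/")


class PDP:
    """Toy decision point; counts evaluations so the two strategies compare."""

    def __init__(self, policy):
        self.policy = policy
        self.calls = 0

    def _decide(self, path):
        effects = {eff for target, eff in self.policy if covers(target, path)}
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"

    def evaluate(self, path):
        """Classic XACML: one request, one resource, one decision."""
        self.calls += 1
        return self._decide(path)

    def evaluate_with_transformation(self, path):
        """One request for the whole (sub)hierarchy rooted at `path`. The
        decision is the root's effect plus a post-condition transformation:
        the deny targets inside the subtree that enforcement must prune
        before the document is returned."""
        self.calls += 1
        prune = [target for target, eff in self.policy
                 if eff == "Deny" and covers(path, target) and target != path]
        return self._decide(path), prune


def prune_tree(el, parent_path, drop):
    """Copy `el` recursively, omitting every subtree whose path `drop` rejects."""
    path = path_of(el, parent_path)
    if drop(path):
        return None
    out = ET.Element(el.tag, dict(el.attrib))
    out.text, out.tail = el.text, el.tail
    for child in el:
        kept = prune_tree(child, path, drop)
        if kept is not None:
            out.append(kept)
    return out


def filter_per_resource(pdp, root):
    """Naive enforcement: ask the PDP about every element reached."""
    return prune_tree(root, "", lambda p: pdp.evaluate(p) != "Permit")


def filter_with_transformation(pdp, root):
    """Post-condition approach: one PDP call for the root, then apply the
    returned transformation locally."""
    effect, prune = pdp.evaluate_with_transformation(path_of(root, ""))
    if effect != "Permit":
        return None
    return prune_tree(root, "", lambda p: any(covers(t, p) for t in prune))


def run_demo(doc_xml=SAMPLE_DOC, policy=POLICY):
    """Run both strategies on the same document; return call counts and output."""
    root = ET.fromstring(doc_xml)
    pdp_a, pdp_b = PDP(policy), PDP(policy)
    a = filter_per_resource(pdp_a, root)
    b = filter_with_transformation(pdp_b, root)
    as_xml = lambda x: ET.tostring(x, encoding="unicode") if x is not None else ""
    return {
        "per_resource_calls": pdp_a.calls,
        "transformation_calls": pdp_b.calls,
        "per_resource_xml": as_xml(a),
        "transformation_xml": as_xml(b),
    }


if __name__ == "__main__":
    result = run_demo()
    print("PDP calls, per resource:  ", result["per_resource_calls"])
    print("PDP calls, transformation:", result["transformation_calls"])
    print(result["transformation_xml"])
```

On the sample document the per-resource loop makes nine PDP calls (every element reached, with denied subtrees not descended) while the transformation approach makes one, and both return the same filtered document with the home tuple and the mood element removed. The check that matters in practice is the last one: the transformation must reproduce the PDP's combining semantics exactly, since the enforcement point now prunes without consulting the PDP per node; comparing the two outputs on representative documents is the cheap way to catch a divergence.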